package org.rsna.servlets;

import java.io.File;
import java.net.URL;
import java.util.Locale;
import java.util.Properties;
import java.util.regex.Pattern;
import org.apache.log4j.Logger;
import org.rsna.server.Authenticator;
import org.rsna.server.HttpRequest;
import org.rsna.server.HttpResponse;
import org.rsna.server.User;
import org.rsna.server.Users;
import org.rsna.util.FileUtil;
import org.rsna.util.StringUtil;

/* loaded from: input_file:MultiframeSplitter/util.jar:org/rsna/servlets/LoginServlet.class */
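/**
 * Servlet that serves the login page, establishes or closes a session for a
 * submitted username/password, and then redirects the browser back to the
 * page it came from.
 *
 * <p>Two request-supplied values drive behavior and are therefore validated:
 * the {@code url} parameter (used both as a redirect target and as a value
 * substituted into {@code login.html}) and the request path. Redirect targets
 * that carry an absolute or protocol-relative reference to another host, or
 * that contain characters usable for header/markup injection, are replaced
 * by {@code "/"}.
 */
public class LoginServlet extends Servlet {
    static final Logger logger = Logger.getLogger(LoginServlet.class);

    /**
     * Matches a leading URI scheme ("http:", "JavaScript:", "mailto:" ...).
     * Any target that has one is treated as absolute and must be parsed and
     * compared against the request host before it is accepted.
     */
    private static final Pattern SCHEME_PREFIX = Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:");

    /**
     * Creates the servlet.
     *
     * @param file the servlet root directory (passed to {@link Servlet})
     * @param str  the servlet context name (passed to {@link Servlet})
     */
    public LoginServlet(File file, String str) {
        super(file, str);
    }

    /**
     * Handles GET requests.
     *
     * <p>Paths ending in {@code /ajax} get a bare status code: the login result
     * ({@code ok}/{@code forbidden}), or {@code ok} after a logout. Otherwise a
     * {@code logout} parameter closes the session, a username/password pair
     * attempts a login, {@code skip} from an already authenticated user just
     * redirects, and anything else renders {@code login.html} with the
     * (validated) {@code url} parameter substituted in.
     *
     * @param httpRequest  the request
     * @param httpResponse the response to populate and send
     */
    @Override
    public void doGet(HttpRequest httpRequest, HttpResponse httpResponse) {
        logger.debug("Request received:\n" + httpRequest.toVerboseString());
        String username = httpRequest.getParameter("username");
        String password = httpRequest.getParameter("password");
        String logout = httpRequest.getParameter("logout");

        if (httpRequest.getPath().endsWith("/ajax")) {
            if (logout == null) {
                boolean passed = login(httpRequest, httpResponse, username, password);
                httpResponse.setResponseCode(passed ? HttpResponse.ok : HttpResponse.forbidden);
            } else {
                Authenticator.getInstance().closeSession(httpRequest, httpResponse);
            }
            httpResponse.send();
            return;
        }

        if (logout != null) {
            Authenticator.getInstance().closeSession(httpRequest, httpResponse);
            redirect(httpRequest, httpResponse);
            return;
        }

        if (username != null && password != null) {
            // The outcome is not needed here: a failed login leaves no session
            // and the redirect target falls back to "/" where appropriate.
            login(httpRequest, httpResponse, username, password);
            redirect(httpRequest, httpResponse);
            return;
        }

        if (httpRequest.hasParameter("skip") && httpRequest.isFromAuthenticatedUser()) {
            redirect(httpRequest, httpResponse);
            return;
        }

        // Render the login page. The "url" value is substituted into the page
        // text, so it is screened with the same check used for redirects.
        // NOTE(review): the attribute/element context in which login.html places
        // ${url} is not visible here; confirm the template quotes it safely.
        String page = FileUtil.getText(FileUtil.getStream(new File(this.root, "login.html"), "/login.html"));
        String returnUrl = httpRequest.getParameter("url", "");
        if (isAttack(httpRequest, returnUrl)) {
            returnUrl = "";
        }
        Properties substitutions = new Properties();
        substitutions.put("url", returnUrl);
        httpResponse.write(StringUtil.replace(page, substitutions));
        httpResponse.disableCaching();
        httpResponse.setContentType("html");
        httpResponse.send();
    }

    /**
     * Handles POST requests: attempts a login with the submitted
     * {@code username}/{@code password} and redirects.
     *
     * @param httpRequest  the request
     * @param httpResponse the response to populate and send
     */
    @Override
    public void doPost(HttpRequest httpRequest, HttpResponse httpResponse) {
        logger.debug("Request received:\n" + httpRequest.toVerboseString());
        login(httpRequest, httpResponse, httpRequest.getParameter("username"), httpRequest.getParameter("password"));
        redirect(httpRequest, httpResponse);
    }

    /**
     * Authenticates the credentials and, on success, creates a session.
     * On failure (or a missing credential) any existing session is closed.
     *
     * @param httpRequest  the request
     * @param httpResponse the response (receives the session on success)
     * @param username     the submitted username, may be {@code null}
     * @param password     the submitted password, may be {@code null}
     * @return {@code true} if a session was created
     */
    private boolean login(HttpRequest httpRequest, HttpResponse httpResponse, String username, String password) {
        logger.debug("username = " + username);
        // The password is never written to the log, and the response headers
        // are not dumped after session creation because they presumably carry
        // the session cookie.
        boolean passed = false;
        Authenticator authenticator = Authenticator.getInstance();
        if (username != null && password != null) {
            User user = Users.getInstance().authenticate(username, password);
            if (user != null) {
                passed = authenticator.createSession(user, httpRequest, httpResponse);
            }
        }
        if (!passed) {
            authenticator.closeSession(httpRequest, httpResponse);
        }
        logger.debug("passed = " + passed);
        return passed;
    }

    /**
     * Redirects to the {@code url} parameter, or to the request path with this
     * servlet's context segment removed when no {@code url} was given.
     * Empty, suspicious or off-host targets are replaced by {@code "/"}.
     *
     * @param httpRequest  the request
     * @param httpResponse the response to redirect
     */
    private void redirect(HttpRequest httpRequest, HttpResponse httpResponse) {
        String target = httpRequest.getParameter("url");
        if (target == null) {
            target = httpRequest.getPath();
            // Drop the trailing context name but keep the slash before it.
            if (target.endsWith("/" + this.context)) {
                target = target.substring(0, target.length() - this.context.length());
            }
        }
        logger.debug("Redirect URL before test: \"" + target + "\"");
        if (target.isEmpty() || isAttack(httpRequest, target) || !isSameHost(httpRequest, target)) {
            target = "/";
        }
        logger.debug("Redirect URL after test: \"" + target + "\"");
        httpResponse.redirect(target);
    }

    /**
     * Decides whether a redirect target stays on the requesting host.
     *
     * <p>Protocol-relative references ({@code //host/...}, {@code /\host/...},
     * and a leading backslash) are rejected outright, since browsers resolve
     * them against the embedded host rather than this one. A target without a
     * scheme is a local path or relative reference and is accepted. A target
     * with a scheme must parse as a URL whose host equals the request host
     * (port and case ignored); anything unparseable fails closed.
     *
     * @param httpRequest the request, supplying the host to compare against
     * @param str         the candidate redirect target
     * @return {@code true} if the target is local or names the request host
     */
    private boolean isSameHost(HttpRequest httpRequest, String str) {
        String target = str.trim();
        if (target.startsWith("//") || target.startsWith("/\\") || target.startsWith("\\")) {
            return false;
        }
        if (!SCHEME_PREFIX.matcher(target).find()) {
            return true;
        }
        try {
            String urlHost = new URL(target).getHost();
            String requestHost = httpRequest.getHost();
            if (requestHost.contains(":")) {
                requestHost = requestHost.substring(0, requestHost.indexOf(':'));
            }
            logger.debug("isSameHost: req: \"" + requestHost + "\" url: \"" + urlHost + "\"");
            // Host names compare case-insensitively.
            return urlHost.equalsIgnoreCase(requestHost);
        } catch (Exception e) {
            // Unknown scheme, malformed URL, or no request host: fail closed.
            logger.debug("Unable to parse URL:", e);
            return false;
        }
    }

    /**
     * Screens a request-supplied value for characters usable in header or
     * markup injection: any ASCII control character (covers CR/LF and tab),
     * angle brackets, a percent sign, or the word "javascript" in any case.
     * A hit is logged at WARN with the remote address.
     *
     * @param httpRequest the request, for the remote address in the log line
     * @param str         the value to screen
     * @return {@code true} if the value should be rejected
     */
    private boolean isAttack(HttpRequest httpRequest, String str) {
        String lowered = str.toLowerCase(Locale.ROOT);
        boolean suspicious = hasControlCharacter(str)
                || lowered.contains("<")
                || lowered.contains(">")
                || lowered.contains("%")
                || lowered.contains("javascript");
        if (suspicious) {
            logger.warn("Attack detected from " + httpRequest.getRemoteAddress());
        }
        return suspicious;
    }

    /**
     * Reports whether the string contains an ASCII control character
     * (below U+0020) or DEL (U+007F).
     *
     * @param s the string to inspect
     * @return {@code true} if a control character is present
     */
    private static boolean hasControlCharacter(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return true;
            }
        }
        return false;
    }
}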
